security

Dick Hardt dick at sxip.com
Mon Oct 23 03:18:41 UTC 2006


On 22-Oct-06, at 7:09 PM, Eddy Nigg (StartCom Ltd.) wrote:

> Dick Hardt wrote:
>> A transaction is only as secure as its weakest link
> Correct! Let's think about where the weakest link is and raise it a  
> few steps....
>> Perhaps we can discuss this from another point of view. Why should  
>> I need SSL on a blog I am writing a comment on when all the data I  
>> provide the blog will be published and public anyway? An attacker  
>> is not going to see anything more on the HTTP connection than they  
>> would on the blog?
> Not entirely correct. If the login details / sessions and whatever  
> is transmitted in plain, then I can reuse these details  
> perhaps...But this time it's not going to be used at this blog, but  
> on something more serious...That was my reasoning, that all  
> transmissions related to the openid login/access/ whatever have to  
> be secured....Since we are talking about ONE login details at x  
> sites (can be in the thousands at some point) and a validity of a  
> session, then the exploit can be almost disastrous...

I think we are mixing the IdP session and the RP session.

I would want my IdP session to be secured by SSL. But I don't need my  
RP session to be. The message sent to the RP has one-time-use and RP  
specific features so it cannot be replayed or reused. The protocol  
was designed assuming the message is in the clear, and that the  
request could be modified.

If you see a hole in the spec details, please point it out.

-- Dick
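Added example, not part of the thread above and not the OpenID specification's own code: a simplified model of the checks that make the IdP-to-RP message "one-time-use and RP specific" as Dick describes. It mirrors the shape of an OpenID 2.0 positive assertion (a `return_to` bound to one RP, a timestamped `response_nonce`, and an HMAC over the signed fields using an association secret), but the field names are unprefixed, the URLs and the association secret are constructed placeholders, and the IdP and RP are modelled in one process. An attacker who captured the assertion on an unencrypted RP connection could only try to replay it to the same RP (rejected by the nonce check), present it to a different RP (rejected by the `return_to` check), or alter it (rejected by the signature check).

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: IdP and RP already share an association secret (constructed value).
ASSOC_SECRET = b"constructed-association-secret-not-real"

# Fields covered by the signature, in a fixed order.
SIGNED_FIELDS = ("op_endpoint", "identity", "return_to", "response_nonce")


def kv_form(fields, names):
    """Key-value encoding of the signed fields (OpenID 2.0 style 'key:value\\n')."""
    return "".join(f"{name}:{fields.get(name, '')}\n" for name in names).encode()


def make_nonce(now):
    """UTC timestamp followed by random characters, as OpenID 2.0's response_nonce is laid out."""
    return now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4)


def issue_assertion(identity, return_to, now=None):
    """IdP side: produce a signed assertion bound to one RP and usable once."""
    now = now or datetime.now(timezone.utc)
    fields = {
        "op_endpoint": "https://idp.example/op",  # hypothetical IdP endpoint
        "identity": identity,
        "return_to": return_to,                   # binds the assertion to one RP
        "response_nonce": make_nonce(now),        # binds it to one use
    }
    mac = hmac.new(ASSOC_SECRET, kv_form(fields, SIGNED_FIELDS), hashlib.sha256)
    fields["sig"] = mac.hexdigest()
    return fields


class RelyingParty:
    """RP side: accept an assertion only if it is ours, intact, fresh and unused."""

    def __init__(self, return_to, max_skew=timedelta(minutes=5)):
        self.return_to = return_to
        self.max_skew = max_skew
        self.seen_nonces = set()  # in production this would be shared, expiring storage

    def verify(self, msg, now=None):
        now = now or datetime.now(timezone.utc)
        # 1. RP-specific: the assertion must name this RP's return_to.
        if msg.get("return_to") != self.return_to:
            return False, "return_to does not match this RP"
        # 2. Integrity: recompute the HMAC over the signed fields.
        expected = hmac.new(ASSOC_SECRET, kv_form(msg, SIGNED_FIELDS),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return False, "bad signature"
        # 3. Freshness: the nonce carries the issue time; reject stale ones.
        nonce = msg.get("response_nonce", "")
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
            issued = issued.replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - issued) > self.max_skew:
            return False, "nonce outside acceptable window"
        # 4. One-time-use: the same nonce is never honoured twice.
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    blog = RelyingParty("https://blog.example/openid/return")
    assertion = issue_assertion("https://alice.example/", blog.return_to)
    print(blog.verify(assertion))   # first presentation is accepted
    print(blog.verify(assertion))   # replay to the same RP is rejected
```

The nonce set is what makes the one-time-use property real: an RP that checks the signature and `return_to` but never records nonces is still replayable within the freshness window. This is also why the IdP session is the part that needs transport protection: a stolen IdP cookie lets an attacker mint new assertions, whereas a captured assertion is useless once consumed.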


